Abstract

The security of wireless sensor networks is an active topic of research where both symmetric and asymmetric key cryptography issues have been studied. Due to their computational feasibility on typical sensor nodes, symmetric key algorithms that use the same key to encrypt and decrypt messages have been intensively studied and perfectly deployed in such environments. Because of the wireless sensors' limited infrastructure, the bottleneck challenge for deploying these algorithms is key distribution. For the same reason of resource restriction, key distribution mechanisms which are used in traditional wireless networks are not efficient for sensor networks.

To overcome the key distribution problem, several key pre-distribution algorithms and techniques that assign keys or keying material to the network's nodes in an offline phase have been introduced recently. In this paper, we introduce a supplemental distribution technique based on the communication pattern and deployment knowledge modeling. Our technique is based on the hierarchical grid deployment. To grant a security level proportional to the number of dependent sensors, we use different polynomials in different orders with different weights. To assess the value of our proposed work, we provide a detailed analysis of the used resources, resulting security, resiliency, and connectivity compared with other related works.

Keywords: Sensor network security, key pre-distribution, deployment knowledge, grid network, communication efficiency.
1 Introduction

A sensor network consists of a huge number of sensor nodes which are inexpensive, low-powered and resource-constrained small devices [S]. The typical sensor node contains a power unit, a sensing unit, a processing unit, a storage unit, and a wireless transceiver (T/R) [1]. The concept of micro-sensing and wireless connection in the sensor network promises several applications in military, environment, health-care, and many other commercial domains [15]. Due to the resource constraints of sensor nodes, public key algorithms such as Diffie-Hellman key agreement [7] or the RSA signature [28] are undesirable. In spite of recent results on the computational feasibility of those algorithms [TTJ [20] [32] [33], it is still early to widely deploy these algorithms since using them will expose a vulnerability to denial of service (DoS) attacks [6] [34].

On the other hand, symmetric key algorithms that use the same key for encrypting and decrypting messages are desirable in the sensor network. This desirability is due to their computational lightness on typical sensors. From another point, due to the weak infrastructure of the sensor network, traditional secret key distribution mechanisms such as the Key Distribution Center (KDC) cannot be used. The main issue therefore is how to distribute secret keys, or the keying material that is responsible for generating secret keys, among different sensor nodes. Since the manual modification of the sensors' contents is undesirable after the in-field deployment phase, several key pre-distribution schemes that assign and distribute keying material or secret keys in an off-line phase have been proposed. In the following section, we review some of those schemes followed by our main contribution.

1.1 Related Works 

Two of the early works in [2] [3] are widely known for their novelty. Considering a network that consists of $N$ nodes, in the first work by Blom et al. [5] a symmetric matrix of size $N \times N$ is required to store the different $N^2$ keys for securing communication within the entire network. Node $s_i \in N$ has a row and a column in the matrix. If two nodes $s_i, s_j$ would like to communicate, they use the entries $E_{ij}$ on the $s_i$ side and $E_{ji}$ on the $s_j$ side, which are equal (i.e., $E_{ij} = E_{ji}$ since the matrix is symmetric). To reduce the memory requirements, a slight modification is introduced by Du et al. [S]. The following are defined: a public matrix $G$ of size $(\lambda + 1) \times N$ and a private symmetric matrix $D$ of size $(\lambda + 1) \times (\lambda + 1)$ where the entries of $D$ are generated randomly. Also, $A = (D \cdot G)^T$ of size $N \times (\lambda + 1)$ is defined. For a node $s_i$, row $R_i$ in $A$ and column $C_i$ in $G$ are selected. When two nodes $s_i, s_j$ would like to communicate securely, they first exchange their $C_i, C_j$; then $k_{ij} = R_i \cdot C_j$ is computed on the side of $s_i$ and $k_{ji} = R_j \cdot C_i$ is computed on the side of $s_j$. Note that $k_{ji} = k_{ij}$ based on the symmetric property of $A, D, G$. The second work by Blundo et al. [3] proposed three protocols for secure dynamic conferences [3]. The 2-conferences protocol uses a Symmetric Bivariate Polynomial (SBP) to distribute keys for $N$ nodes. The SBP has the following general form:

$$f(x,y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j, \quad \text{where } (a_{ij} = a_{ji}) \qquad (1)$$

This polynomial is of degree $t$ where $t < N$. For a node $s_i$ with identifier $ID_i$, the share $g^i(y)$ expressed in Eqn 2 is calculated and loaded into $s_i$'s memory for generating future secret keys. Similarly, for two nodes $s_i, s_j$ that would like to communicate securely, $k_{ij} = g^i(j)$ and $k_{ji} = g^j(i)$ are evaluated locally on the corresponding sides and used respectively as secret keys.

$$g^i(y) = f(i, y) \qquad (2)$$

In the sensor networks era, the early scheme of key pre-distribution specifically for WSN is introduced by Eschenauer and Gligor (a.k.a., EG scheme) [10]. In the EG scheme, each node randomly picks a key ring $S_k$ of size $k$ from a big key pool of size $P$. The picking process maintains a probabilistic connectivity between any node and other nodes in the entire network. This connectivity is noted as $P_{actual}$ and defined as $P_{actual} = 1 - \frac{((P-k)!)^2}{(P-2k)!\,P!}$. If two nodes $s_i, s_j$ share a key $k : k \in S_{k_i} \cap S_{k_j}$, they both can use it as a secret key. Otherwise, a path key establishment phase via a single or several intermediate node(s) is performed. In [10] the usage of memory is reduced; however, a frail resiliency results (i.e., if a small number of nodes are compromised, a big communication fraction of non-compromised nodes is disclosed). To improve the resiliency, Chan et al. proposed the q-composite scheme [4]. Using the same procedure as EG, a key between two nodes $s_i, s_j$ is available if and only if $S_{k_i} \cap S_{k_j}$ is a set of $q$ keys. If $\{k_1, \dots, k_q\} \in S_{k_i} \cap S_{k_j}$, $hash(k_1 \| k_2 \| \dots \| k_q)$ is used as $k_{ij}, k_{ji}$. Otherwise, intermediate node(s) are used. More analysis of the probabilistic schemes is shown by Kwang and Kim in [13].

In addition to improving Blom's scheme in [5], Du et al. proposed two schemes for key pre-distribution in [8] [9]. In the early one they introduced a deployment knowledge based scheme that improves Blom's [2] by avoiding unnecessary memory, communication, and computation with reasonable connectivity [8]. In [HI, a multi-space matrix scheme based on [21 dnj is introduced. A number $\tau$ of private matrices $D$ is selected randomly out of $\omega$ pre-constructed matrices, providing connectivity $P_{actual}$ that is expressed as $P_{actual} = 1 - \frac{((\omega-\tau)!)^2}{(\omega-2\tau)!\,\omega!}$. Different $A$s are created using the different $D$s. $\tau$ rows of the different $A$s are selected and assigned to each node. For $s_i, s_j$, if they have a common space $\tau_{ij} : \tau_{ij} \in \tau_i \cap \tau_j$, the rest of Blom's scheme is performed. Otherwise, an intermediate node that has an intermediate space is used to construct a path key in a path key establishment phase. Even though much memory and communication are required and smaller connectivity is generated, this work provides a higher resiliency than both EG [4] and Chan et al. [10]. For more accuracy, different deployment structures with practical error measurements and the probability distribution functions (pdf) based on [S] are introduced by Ito et al. in [TJ

Simultaneously, Liu et al. proposed several schemes in [THl HI] for key distribution which are mainly based on Blundo et al. [3]. In [TH], the polynomial-based mechanism is used to assign several polynomials to each node in a way similar to the EG scheme [10]. Two nodes can establish a secret key if and only if they share a common polynomial. Otherwise, the two nodes use an intermediate node for establishing a secure path.

The most significant work by Liu et al. is in [TSlll9j. In both works, for a network of size $N$, a two-dimensional deployment structure that constructs a grid of $N^{1/2} \times N^{1/2}$ is suggested. Different nodes are deployed on different intersecting points and different polynomials are assigned to the different rows and columns of the grid. For two nodes $s_i$ and $s_j$, if $R_i = R_j$ or $C_i = C_j$ (i.e., both nodes have the same polynomial's share), a direct key establishment is performed. Else (i.e., $R_i \neq R_j$ and $C_i \neq C_j$), an intermediate node is used in a path key establishment phase. In this work, even if a big fraction $p_c$ of the nodes of the overall network size $N$ is compromised, the network remains connected via alternative intermediate nodes. The big fraction $p_c$ herein is measured to be $p_c < 60\%$ of $N$. Also, an n-dimensional scheme is introduced in [TO]. Finally, the deployment knowledge for special purposes and applications in a probabilistic manner has been studied in [26] [27] while a general security architecture has been proposed in pS].

1.2 Our Contributions 

In this paper we introduce a new scheme using the Hierarchical Grid as a deployment framework and Blundo's scheme as the key generator (a.k.a., keying material). Through this paper, our main contributions are the following:

• Provide a scalable, robust, and novel framework for key pre-distribution that gives a perfect connectivity value (i.e., the connectivity is always equal to '1' using single hop communication) to establish a pairwise key.

• Optimize the usage of the different network resources, mainly communication overhead, memory usage, and required computation.

• Analyze and provide a mathematical model of our scheme's performance.

• Provide and discuss the alternatives against any possible security attack against our scheme.

We take advantage of different flat deployment zones in a hierarchical grid representation for deploying the different sensor nodes. Based on each sensor node's location, several symmetric polynomials like those introduced in [3] are assigned to generate secret keys. Each polynomial in the group assigned to a sensor node is used for securing communication within a targeted zone. As a result, each node can communicate with any other node in the network using the shared keying material. We show how the connectivity approaches a perfect desirable level in both the random and non-random cases. As well, we show the value of our scheme against some given attacks and study its security under the amount of consumed resources.

1.3 Paper Structure 

The rest of the paper is organized as follows. Section 2 introduces the notations and definitions which are used throughout the paper and Section 3 introduces our scheme. We consider an extensive analysis of our scheme's connectivity as a main interesting issue in Section 4. In Section 5 we consider the analysis of resource consumption, and the security analysis in Section 6 considering several attacks. Finally, we introduce a comparison between our work and a set of previous works in Section 7 followed by concluding remarks in Section 8.

2 Notations and Definitions 

The following definitions and notations are used 
throughout the rest of this paper. 

2.1 Definitions 

Definition 1 (Network order $n$). A network design parameter that indicates the size of the network and the number of polynomials used in each sensor node.

Definition 2 (Basic grid or basic zone). A set of sensor nodes in a geographical area that initially use the same polynomial of degree $t_0$.

Definition 3 (Polynomial Order $O$). An integer that decides the scope where the polynomial is used to establish a secure pair-wise key, where $O \in \{1, 2, \dots, n\}$. Each node has a minimum order of 1 and a maximum order of $n$.

Definition 4 (Polynomial Degree $t_n$). A security parameter that indicates the strength of the polynomial against compromise and expresses how many different nodes that carry shares of this polynomial must be compromised to reveal the polynomial itself to an attacker. The subscript $n$ expresses the order of the polynomial.

2.2 Notations 

The notation in Table 1 is used through the rest of the paper.

Table 1. Notation

Term          Indication
$n$           the network order
$N$           number of sensor nodes in the entire network
$m$           number of sensor nodes in the basic grid $B_z$
$k$           nodes distribution unit through the network
$B_z$         basic zone (also, Basic Grid)
$O_x$         order of the $x^{th}$ network grid
$t_0$         degree of the basic polynomial in the $B_z$
$t_n$         degree of the polynomial for grid of order $n$
$s_i, s_j$    sensor nodes
$ID_i$        identifier of the sensor node $i$
$G_n$         number of the Basic Zones in the network

3 HGBS for Pairwise KPD

Our scheme uses Blundo [5] as a keying material generating block to generate different secret keys for different nodes. The distribution of the keying material is performed on sensor nodes deployed in a Hierarchical Grid as shown in Figure 1. Our grid mainly considers the routing grid used in [17] with a slight modification. This modification relies on using the duplication growth factor to move from one order to another. In our work, we aim to provide each sensor node with a set of different polynomials for establishing secret keys. The main role of the different polynomials is to make several zones with varying numbers of nodes approachable by a given node. In the following subsections, we provide a description of our scheme including the following points: the deployment grid overview, the node identification mechanism, keying material generation, secure key establishment and the adjustment of the scheme parameters.



3.1 Overview of the Deployment Grid 



Consider a network that consists of $N$ sensor nodes. The different nodes are deployed in a network of grid structure as in Figure 1. In this deployment structure, the network is divided into $n$ hierarchical orders of grids. Each order $i$ consists of $2^{i-1}$ basic zones. The basic zone $B_z$ is a geographical region bounded by $[2k, 2k]$ dimensions (i.e., length and width). Also, $k$ is identified as a uniform distribution unit of the sensor nodes in the WSN and the length unit as well. The number of nodes $m$ in $B_z$ is $(2k)^2$. The order defined earlier is used to represent the growth of the network. The highest order $O_n$ contains $G_n = 2^{n-1}$ basic grids. The total number of nodes in the network is $N$ where $N = m \times G_n = (2k)^2 \times 2^{n-1}$. As shown in Figure 2, $B_z$ is any grid with the dimensions [G1X, G1Y] which has $O_1$. Similarly, the dimensions [G2X, G2Y] are considered for grids of order 2 ($O_2$), [G3X, G3Y] will be considered for $O_3$, and so on until $O_n$. An obvious note to mention here is that any zone which belongs to order $O_a$ includes twice as many nodes as a zone of order $O_{a-1}$.



Figure 1. Sensor nodes deployment in a hier- 
archical grids network 



3.2 Node Identifier 

Our scheme uses a smart identification material (ID) which is unique for each node through the network. The function of the ID in our scheme is to identify the node within the network, to represent the keying material (i.e. polynomials) of the node, and to provide "an extra sense" of the node location assuming a limited mobility.

The use of the hierarchical grid with a duplicating growth factor makes it possible to represent the different basic zones of Figure 1 in a binary tree as shown in Figure 2. In this tree, the height represents the maximum order and the number of leaves represents the number of basic zones in the network. For each leaf node, the attached numbers are sequences that represent the identifiers of different nodes within the same basic zone (i.e. local ID in a $B_z$ where $1 < ID_{local} < m$). The different polynomials are assigned to the internal nodes of the tree. In the tree, left branches are assigned the "0" bit value and right branches the "1" bit value. The final sensor node's ID is the binary string obtained by tracing the path from the root to the end leaf that the sensor belongs to, concatenated with the local ID. This structure of the ID is shown in Figure 3. The length of this ID can be expressed as follows:

$$|ID| = n + \lceil \lg(m) \rceil \qquad (3)$$

where $m$ is the number of nodes in the basic zone. For a network with a large size, $n$ can be considered a constant for a flexible design that accepts dynamic network growth.

Figure 2. Node ID generation determining node's location in WSN

Figure 3. Node ID structure in the hierarchical grid

3.3 Key Material Assignment 

Several keying materials (or simply polynomials) are assigned to the different sensor nodes. Using the grid deployment structure of Figure 1, different polynomials with the appropriate security parameter are assigned to the node based on which grids of which order it belongs to. Initially, an SBP of degree $t_0$ which is assigned to the corresponding basic grid $B_z$ is assigned for establishing secret keys for the pairs of nodes within the same $B_z$. The usage of this polynomial will provide a value of $\frac{1}{2^{n-1}}$ direct connectivity. The other polynomials are used for the connectivity to reach the desirable one based on the node's location and granting the corresponding connectivity.

We assume that the nodes which are deployed within the same basic grid have the higher probability of communicating with each other and those outside the concerned basic grid have a lower communication probability. This assumption is important since the usage of the polynomials with small degree that require less computation power is so frequent and the usage of the higher degree polynomials is less frequent. The procedure of generating the keying material and the assignment to the different sensor nodes is shown in Algorithm 1.



Algorithm 1: Keying material assignment
Input:  Network order n, set of all nodes' IDs, set of path IDs d, network size N
Output: n polynomial shares for each node

for i = 1 to n do
    for j = to do
        p[n - i + 1][j] ← SBP of degree t
    end
    for x = 1 to N do
        k_x[n - i + 1] = p[n - i + 1][d / 2^(i-1)](ID_x, y)
    end
end



3.4 Key Establishment 

To secure the communication between nodes $s_i, s_j$, secret key generation is required. Considering the IDs of both nodes and the polynomial set generated by Algorithm 1, first a polynomial $f^*(x,y)$ is selected out of the shared polynomials in the two nodes. The selected polynomial must be common to both nodes' polynomials with the minimum $t$-degree (i.e., referring to Figure 2, the closest parent to the leaves of both nodes $s_i, s_j$). To establish the secure key, Algorithm 2 is applied. Note that this algorithm is applied in both $s_i, s_j$ to generate the pairwise key. Also, only the polynomial share is used after its evaluation in Algorithm 1 as expressed in Eqn [5].



Algorithm 2: Key establishment procedure
Input:  Path identifiers d_i, d_j, node s_j's ID (j), set of node i's polynomial shares k_i[]
Output: Symmetric key K_ij

Begin
for c = 0 to d_i.length - 1 do
    if d_i[c] = d_j[c] then
        g(y) = k_i[c]
        Break
    end
end
k_ij = g(j)
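
The offline assignment of Algorithm 1 and the key establishment of Section 3.4 can be exercised end to end. The Python sketch below is an added example, not the authors' code: the prime modulus, the tree keyed by path prefix, the degree rule $t_0 \cdot 2^{o-1}$ per order $o$, the node placements and all names are assumptions, and it picks the closest common parent as the prose describes rather than following Algorithm 2 line by line.

```python
import random
from dataclasses import dataclass

Q = 2**61 - 1  # assumed prime field modulus; the paper only specifies GF(q)

def gen_sbp(t, rng):
    """Symmetric bivariate polynomial of degree t: a[i][j] == a[j][i]."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(Q)
    return a

def share(a, x):
    """Coefficients of g(y) = f(x, y): b[j] = sum_i a[i][j] * x^i mod Q."""
    powers = [pow(x, i, Q) for i in range(len(a))]
    return [sum(a[i][j] * powers[i] for i in range(len(a))) % Q
            for j in range(len(a))]

def evaluate(g, y):
    """Horner evaluation of a univariate share at y."""
    acc = 0
    for coeff in reversed(g):
        acc = (acc * y + coeff) % Q
    return acc

@dataclass
class Node:
    id_bits: str  # public ID: path bits followed by local-ID bits
    shares: list  # shares[L] comes from the polynomial at path-prefix length L

class Network:
    """Setup server for n orders with m nodes per basic zone."""
    def __init__(self, n, m, t0, seed):
        self.n = n
        self.local_bits = max(1, (m - 1).bit_length())
        rng = random.Random(seed)  # demo only: real keying material needs a CSPRNG
        # One polynomial per tree node, keyed by path prefix. A prefix of
        # length L covers a zone of order n - L; 2^(n-1) leaves need n-1 bits.
        self.polys = {}
        for length in range(n):
            order = n - length
            for v in range(2 ** length):
                prefix = format(v, "b").zfill(length) if length else ""
                self.polys[prefix] = gen_sbp(t0 * 2 ** (order - 1), rng)

    def provision(self, path, local_id):
        """Offline phase: derive the n shares loaded into one sensor."""
        id_bits = path + format(local_id, "b").zfill(self.local_bits)
        x = int(id_bits, 2)
        shares = [share(self.polys[path[:L]], x) for L in range(self.n)]
        return Node(id_bits, shares)

def establish_key(node, peer_bits):
    """Use the share of the lowest-order zone containing both nodes."""
    depth = len(node.shares) - 1  # number of path bits
    mine, theirs = node.id_bits[:depth], peer_bits[:depth]
    common = 0
    while common < depth and mine[common] == theirs[common]:
        common += 1
    order = depth + 1 - common
    return order, evaluate(node.shares[common], int(peer_bits, 2))

def demo():
    """Constructed placement: four nodes in a network of order 4."""
    net = Network(n=4, m=16, t0=3, seed=2024)
    a = net.provision("010", 5)
    peers = {"same zone": net.provision("010", 9),
             "sibling": net.provision("011", 2),
             "far": net.provision("110", 7)}
    results = {}
    for name, peer in peers.items():
        order, k_ab = establish_key(a, peer.id_bits)
        _, k_ba = establish_key(peer, a.id_bits)
        results[name] = (order, k_ab == k_ba)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the ID bit strings cross the radio link; each side evaluates its own stored share, so the higher-degree polynomials are touched only for peers outside the basic zone.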
3.5 Parameters Adjustment

The critical parameter in our scheme that controls the resource usage and the resulting security is the polynomial degree $t_0$ and the relationship between $t_0$ and the other polynomials' degrees in the different orders. A less important factor in our scheme's analysis is the communication traffic function (CTF).

The degree $t_0$ is totally dependent on the number of nodes in the basic grid [3]. In , the authors assigned $t_0$ to be 20. However, this assumption does not provide a security strength that is dynamically correlated with the change of network size. Generally, if we consider $0 < \alpha < 1$ as a security parameter, $t_0$ can be expressed as $t = \alpha \times m$ for a more reliable security assumption. Using the same memory as in [12], $t_0$ can be assigned to $0.6 \times m$ which will make the basic zone secure until the compromise of $0.6m + 1$ nodes that belong to the same grid. For different numbers of nodes in the network, Figure [5] shows the required memory in KB to store the different polynomial coefficients. On the other hand, the remaining $(n-1)$ polynomials' degrees $t_1, t_2, \dots, t_{n-1}$ are to follow one of the following approaches: (i) to have the value of $t_0$, and the growth of the network order will lead to the same value of the polynomial growth; (ii) to consider the different $t$ degrees independently.

For the communication traffic function (CTF), our deployment scenario considers that the nodes which are most likely to communicate are the neighbors in the same basic grid while other nodes in other grids have a smaller traffic fraction. In the analysis, we consider two different functions: the geometric series distribution function and the exponential distribution function. Note that the summation of probabilities for the communication from a given zone that represents a set of given nodes to all other zones is equal to one (i.e. $\sum_{i=1}^{n} p_{pdf} = 1$). For a geometric CTF, $c$ is determined satisfying Eqn 4.

n 

- E (^) - 1 (4) 

1=1 

4 Connectivity 

Dividing the network hierarchically provides connectivity using more than one keying material (i.e., symmetric polynomials). This connectivity enables different nodes belonging to different basic grids to communicate securely in a 1-hop fashion. Let us consider $C$ as the provided connectivity. Based on the structure of the grid, the polynomial assigned to $B_z$ provides connectivity of $C_1$ which is expressed as = In general terms, the polynomial for the $i^{th}$ order grid provides connectivity of — tt—; for the nodes that belong to it. Thus, for the highest order, the provided connectivity is = 1 which exclusively includes all of the lower orders' connectivity (i.e., $C_i$ for $i$ = to $n - 1$).

For a more general conception, we consider two types of connectivity. The first type conceptualizes the connectivity that considers sensor nodes $s_i, s_j$ in the network regardless of their location, while the second type considers sensor nodes according to the precise minimum-weighted polynomial that they share. For the first case, nodes are randomly deployed in the field and the traffic does not have a regular pattern. The connectivity is expressed as the probability $p_z$ for the two nodes $s_i, s_j$ to be in the same grid. Similarly, this can be formulated and expressed as the probability for two nodes within some order to exactly belong to the same minimum order $z$ which enables establishing keys with the minimal weighted polynomial. Also, it can be expressed as the probability of randomly picking two nodes with the condition that they belong to the same order. This probability is shown in Figure [6]

$$p_z = \frac{\binom{2^{z-1}m}{2}}{\binom{N}{2}} = \frac{\binom{2^{z-1}m}{2}}{\binom{2^{n-1}m}{2}} = \frac{(2^{z-1}m)(2^{z-1}m-1)}{(2^{n-1}m)(2^{n-1}m-1)} = 2^{z-n}\left(\frac{2^{z-1}m-1}{2^{n-1}m-1}\right) \qquad (5)$$

Consider $a, b$ as two integers such that $a > b > 1$; $\frac{b}{a}$ is always greater than or equal to $\frac{b-1}{a-1}$. Applying this to Eqn 5 we get that $\frac{2^{z-1}m-1}{2^{n-1}m-1} \le 2^{z-n}$. From all, we get:

$$p_z \le \left(2^{(z-n)}\right)^2 \qquad (6)$$

On the other hand, the second type of connectivity considers two nodes $s_i, s_j$ whose polynomial used to generate the secret key is previously determined based on the fixed deployment structure and traffic model. A connectivity $C_i$ is determined as the certain connectivity provided by the minimal network order that the two nodes belong to. This is typically equivalent to the connectivity provided by any polynomial assigned for the given polynomial order as in Eqn 7.



For both $p_z$ and $C_i$, the overall connectivity is defined as the ability provided to each node to communicate securely with other nodes regardless of the order they belong to and the shared polynomial they use. In other words, the overall connectivity is determined as the value of $p_z$ or $C_i$ when $z$ or $i$ go to $n$ as follows:

(8)

For a general connectivity form that considers the degree of randomness which determines each node's knowledge of the given deployment structure and the accuracy of the communication model description [22], we define $\beta$ as the communication pattern's parameter where $C = (2^{i-n})^{\beta}$ and $1 < \beta < 2$. Figure 4 shows the connectivity provided by the order's polynomials according to different $\beta$ values.

Figure 4. Connectivity with different traffic parameters

5 Overhead Analysis

In this part we consider our scheme's overhead. This overhead is mainly represented by the memory required for the keying material representation, the computation required for a single bivariate polynomial's evaluation on $GF(q)$ in a single variable, and the communication required for exchanging the concerned sensor nodes' identifiers.

5.1 Network Capacity

Our scheme uses the different resources of the network in a reasonable manner. The reduction in using any resource can affect other correlated resources and downgrade the overall performance. In this section, we measure the cost of our scheme by analytical and mathematical formulas in terms of the network resources. From the details above, the total network capacity $N$ can be expressed as

(9)

where $n$ is the largest polynomial order in the network and $k$ is the distribution unit of nodes. The relationship between $k$ and $n$ for different network sizes $N$ and ranging $n$ is shown in Figure 5 and Figure 6.

Figure 5. The relationship between n, k, N for < n < 2.

Figure 6. The relationship between n, k, N for < n < 10.



5.2 Memory Overhead 

The amount of memory which is required per node is to represent the node ID shown in Eqn 3 and the different $n$ polynomials' shares. For a polynomial $f(x,y)$ of degree $t_0$ whose coefficients are in $GF(q)$, $(t_0 + 1) \times \lg(q)$ bits are required as a representation space. For the memory use, we introduce two different approaches:

1. To assign different degrees to the different polynomials regardless of the number of the distributed shares of the polynomial.

2. To make the growth of the different polynomials' degrees the same as the growth of the number of nodes that hold those polynomials' shares. Thus, all polynomials in the first order have degree $t_0$ and the $i^{th}$ order polynomials have degree $2^{i-1} \times t_0$.

The first case cost in bits is represented in Eqn 10 as follows:



Ah 
The first two terms are for the ID representation and the third term is for the $n$ polynomials' representation. The second case is shown in Eqn 11 where the third term is the summation of the required memory to represent $n$ polynomials of different degrees, $\alpha$ is the security parameter, and $P_{weight}$ is the memory for representing the $(t_0 + 1)$ coefficients of $f(x, ID)$.



M2 = 71 + 



Ig 



N 



Pweight ^ ^ ) 



(11) 



Also, the memory requirement in Eqn 11 can be considered as a geometric series with base $r$ in terms of the highest order's polynomial (i.e. $r = \frac{1}{2}$). For this representation, the summation is held for $n$ terms giving the following:

$$M_3 = (\alpha N \times \lg(q)) \times \sum_{i=0}^{n-1} r^i \qquad (12)$$

Recall that for $r : -1 < r < 1$, the summation of the first $n$ terms is $S_n = \frac{r^n - 1}{r - 1}$. This gives the following:



• IX n + l ^ 



M3 = (aAflg(g)) 



(13) 



Figure 7. The required memory for different 
security parameters and network size in our 
scheme. 



Figure 7 shows the required memory for different network sizes and security parameter $\alpha$. Also, Figure 8 shows the required memory for Blundo's single polynomial representation. Note that the memory requirement is linearly dependent on both $N$ and $\alpha$.

5.3 Computation Overhead 

Each time a key is required, the evaluation of the polynomial $f(x, ID)$ of degree $t$ is performed in a single variable. Due to the difference in the degree $t$ shown earlier, different scenarios are considered. In case of using the first memory scenario, the required computation can be summarized as the evaluation of a single polynomial $f(x, ID)$ of degree $t_0$ regardless of the degree. In the second scenario, where we assign a different degree according to the growth factor for the different network orders, the communication pattern and the communication probability function based on the location determine the required polynomial to be computed and the required computational power.

From another point, evaluating a polynomial of degree $t$ requires $2t$ multiplications¹. Based on [HI; using long integer multiplication, it requires 64 8-bit word multiplications to multiply two integers in a finite field of $q = 2^{64}$. In contrast, it takes only 27 word multiplications on the same platform using the Karatsuba-Ofman algorithm [16]. Thus, multiplying two integers of length 16 and 64 bits consumes 16 8-bit word multiplications. This type of different-length operation is required for accumulating a long enough key that fits the required standard key length (e.g. DES of 56 bit, AES of 128 and RC5 of 640).

$$CP_{avg} = \left(\sum_{i} (p_i \, CP_{t_i})\right) + c \qquad (14)$$

Eqn 13 expresses the required computation in terms of the number of multiplications in $GF(q)$², where $c$ is the computational power required for the comparison of two binary strings. These strings represent the polynomial path identifier part. Also, $p_i$ is the probability that two nodes reside in different $(i-1)^{th}$ grids and $CP_{t_i}$ is the required computational power for the $i^{th}$ order polynomial evaluation. For two different communication traffic functions, Figure 9 shows the computational consumption growth curve in terms of the number of multiplications in $GF(q)$ according to the growth of the network size.

¹ Recall that the computational weight of n-bit n-integers addition is equivalent to two integers multiplication with the n length. Initially, the required number of multiplications is $2t - 1$ and the additional one is due to the addition operation [16].

Figure 8. Memory requirements for storing the polynomial's coefficients in Blundo's scheme with varying $\alpha$.

Figure 9. Computation overhead for two different Communication Traffic Functions. The used parameters are $t_0 = 60$, $\alpha = 0.6$, $n = 11$ which supports up to $N = 204800$.

5.4 Communication Overhead 

Our scheme does not require any extra means of communication except for the exchange of the nodes' identifiers, which costs $\lg(N)$ bits of transmission as discussed earlier in the ID representation requirement. The ID itself is expressed in a general form as in Eqn 3.

² The RC5 [31] is the most likely to be used on the typical sensor node platform because of its small code size without a need for extra tables [25]. Thus, the largest expected finite field is of 64 bits length.



5.5 Reducible Memory Schemes 



Since the memory limitation is the bottleneck for any successful
design in wireless sensor network, any set of polynomials with an
order greater than a desirable d such that 1 < d < n can be
discarded by giving up the direct connectivity. To ensure an
alternative connectivity through an intermediate node, a virtual
grid as of [TH] can be applied. Once this kind of grid is applied,
the higher order polynomials are removed and replaced by smaller
polynomials that represent the virtual grid. Therefore, the final
required memory is dependent upon how many orders are discarded but
always less than the required memory overhead expressed
in [Il] or [ll



6 Security Analysis 



The security of our scheme follows the same analysis introduced in
[31 [TH]. The security of all of these schemes is based on the fact
that a network that uses a bivariate polynomial of degree t is
secure against compromise as long as the number of revealed shares
is less than t + 1. In this section, we consider several attacking
scenarios against our scheme. This includes the node replication
attack [24], the Sybil attack [23], Denial of Messages (DoM)
Attacks [21], and Denial of Service (DoS) Attacks [34].

6.1 Compromising Effects and Resiliency

6.1.1 An Attack Against Nc Number of Nodes 

In case of compromising a set of nodes whose size is Nc that is
less than to, the fraction of the affected nodes other than those
which are compromised is 0. This applies for any kind of attack
strategy including the random and selective one [12].

6.1.2 An attack against 

An attack against the single basic zone can be successfully
performed through the compromise of a number of nodes where
Nc > t + 1. By compromising t+1 sensor nodes and revealing their
secret shares, the main polynomial of the concerned node can be
recovered [5D]. Even so, this attack looks more difficult because
there are 2^(n-1) polynomials of degree t within the network, where
the probability Pr for to nodes to belong to the same polynomial
shares is in Eqn [15].




The probability Pr indicates that the number of sensor nodes to be
compromised by revealing their own secret shares should be big
enough to guarantee that at least to shares belong to a specific
polynomial. This is primarily based on the polynomial degree to and
a; however, over 60% of the network size is a reasonable threshold
for a = 0.6.
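
The threshold stated in Section 6 and in 6.1.1 and 6.1.2 (fewer than t + 1 revealed shares expose no other key) can be checked numerically. The following is an added example, not code from the paper: a Blundo-style symmetric bivariate polynomial over an assumed prime field Q = 2^61 - 1, with hypothetical function names and constructed node IDs.

```python
import random
Q = 2**61 - 1  # prime modulus assumed for this example (not the paper's q)

def make_sbp(t, rng):
    """Random symmetric f(x,y) = sum a[i][j] x^i y^j of degree t over GF(Q)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(Q)
    return a

def share(a, node_id):
    """Coefficients of g_u(y) = f(u, y), the share preloaded on node u."""
    return [sum(a[i][j] * pow(node_id, i, Q) for i in range(len(a))) % Q
            for j in range(len(a))]

def pairwise_key(own_share, peer_id):
    """Evaluate the stored share at the peer's ID (Horner's rule)."""
    key = 0
    for coeff in reversed(own_share):
        key = (key * peer_id + coeff) % Q
    return key

def vanishing_poly(ids):
    """Coefficients, low to high, of P(x) = product of (x - id)."""
    p = [1]
    for c in ids:
        nxt = [0] * (len(p) + 1)
        for k, coef in enumerate(p):
            nxt[k] = (nxt[k] - c * coef) % Q
            nxt[k + 1] = (nxt[k + 1] + coef) % Q
        p = nxt
    return p

def consistent_alternative(a, revealed_ids, r):
    """f'(x,y) = f(x,y) + r*P(x)*P(y): identical shares for every revealed
    node, different keys elsewhere. None once P exceeds degree t."""
    p = vanishing_poly(revealed_ids)
    if len(p) > len(a):      # t+1 revealed shares fix f uniquely
        return None
    b = [row[:] for row in a]
    for i, pi in enumerate(p):
        for j, pj in enumerate(p):
            b[i][j] = (b[i][j] + r * pi * pj) % Q
    return b

# Constructed sample: t = 3, honest nodes 11 and 29, revealed nodes 2, 5, 7.
f = make_sbp(3, random.Random(2024))
k_uv = pairwise_key(share(f, 11), 29)
f_alt = consistent_alternative(f, [2, 5, 7], r=1)
print(k_uv == pairwise_key(share(f, 29), 11))                  # same key at both ends
print(all(share(f_alt, c) == share(f, c) for c in (2, 5, 7)))  # revealed shares match
print(pairwise_key(share(f_alt, 11), 29) != k_uv)              # honest key not pinned down
print(consistent_alternative(f, [2, 5, 7, 9], r=1))            # four shares: no alternative
```

Because a different polynomial reproduces every revealed share while giving another key for nodes 11 and 29, t revealed shares carry no information about that key; varying r sweeps the candidate key over the whole field.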

6.1.3 An attack against the whole network 

The attack against the whole network cannot be performed in a
synchronized way. However, in the worst case, it is possible to
compromise the entire network by compromising all of the
polynomials f(x,y) of to one by one. To compromise Bz requires to
nodes to be compromised. Since the network consists of Gn different
Bz, it requires compromising Gn x to nodes, which is a big fraction
(i.e. more than 60% of the network size). Without this amount, the
fraction of affected nodes will be less than 50% of the network
size.

6.1.4 Selective versus random node attack 

Even if the nodes are deployed randomly, the knowledge of the nodes
deployment and the assigned polynomials for each group and the
ability to distinguish the different nodes based on their Bz
enables a selective attack that eases the attacker's task. On the
other hand, the random attack, in which the attacker has no
knowledge of the deployment strategy of the several nodes, makes it
harder to reveal a given polynomial that generates secure keys, as
shown previously in Eqn [15].

6.1.5 Sybil and node replication attacks 

There are two problems related to the dynamic growth of sensor
network. The Sybil attack [23] is done fallaciously by using more
than one ID for the same node, and the node replication attack [24]
is performed using the same ID more than one time in the network.
Our work resists these threats because it requires a structured ID
which is unique with a uniform structure over the entire network.
When an attacker fabricates a structured ID, it should follow the
limited structure shown previously and deploy the node in a
specific area to communicate within the same Bz.

6.1.6 DoM and DoS attacks 

Denial of Messages [21] is the ability of some nodes 
(i.e., attacker's nodes) to deprive others of receiving 
some broadcast messages. Our framework does not re- 
quire any broadcast capability. If any, it will be mainly 
used within the same grid. Thus, the DoM attack will 
only affect a small fraction of the whole network. An 
example of the Denial of Service [34] is "attempts to 
prevent a particular individual from accessing a ser- 
vice" and this mainly happens due to a heavy commu- 
nication or computation because of the key generation 
or any outsider reason like attacker messages flooding. 
In our scheme, all of the computation and communica- 
tion operations are small, and take short time. In the 
second case, to perform a DoS, node replication attack 
is required. 

6.1.7 Man In the Middle Attack (MITM) 

Under the assumption that the radio coverage is 
enough to enable the usage of the different polynomials 
for different targets, the man in the middle attack is im- 
possible. In the case of the reduced memory schemes, 
the man in the middle attack is possible with small 
probability due to that the intermediate nodes are used 
for a limited communication fraction of forwarding. As 
well, each attacker who would like to deploy his own 
sensor nodes to perform the MITM should know the ge- 
ographical location where to deploy the different sensor 
nodes. 

Table 2. Comparison between our scheme and a set of other schemes in terms of the resources
usage and the resulting connectivity. The connectivity for the probabilistic key pre-distribution
schemes is probabilistic while it is certain for other schemes including ours. Also, the polynomial
degree t differs as shown earlier based on a.

Scheme            Communication   Computation       Memory          Connectivity
GBS [m            c               SBP Evaluation    ID+2 SBP        2 / (N^(1/2) + 1)
3D-GBS [H]        c               SBP Evaluation    ID+3 SBP        3 / (N^(2/3) + N^(1/3) + 1)
Plat-Based [22]   c               SBP Evaluation    ID+3 SBP        3 / N^(1/3)
EG [10]                           e£±p^lo&(c)       Sk keys         (P-2fc)!P!
CPS [4]           c               c                 Sk keys         rn / N
DDHV [9]          clog2(n X t)    2 vectors mult.   T + 1 vectors   (w-2r)!w!
HGBS              c               SBP Evaluation    ID+n SBP        1


6.2 Blocked Traffic and Its Recovery 

This paper mainly introduces a new framework for the key
pre-distribution, deployment and smart location based
identification. However, when we applied Blundo's scheme [3], we
obtained that even though the i-th order polynomial where
1 < i < n is compromised, this will not affect the rest of the
network except for that amount of traffic (links) within the i-th
order grid. Assume the i-th order SBP is compromised, the fraction
of the blocked traffic will be ™^^„_i x pi = x pi
where pi is the fraction of traffic between nodes residing in
different (i-1)-th order grids. Using the current
Pi = 2^ distribution will guarantee that the blocked
communication is always a constant value regardless of the value
of i.

On the recovery: when t+1 nodes are compromised, an alternative
secure SBP can be used. In the case that an SBP of the c-th order
grid is compromised, the SBP for the (c+1)-th order grid is used
until the system recovers and another polynomial is assigned to the
affected grid. In case of the highest order's polynomial
compromise, the amount of traffic compromised will be only
^p(i=„) . If we assume that the fraction is decreased by half
whenever the order of grid increases by 1, the amount will be will
be for p„. However, the internal network connectivity will not be
affected. Moreover, the majority of the secure traffic in the
network will not be broken since the deployment framework
guarantees that most of the traffic is in .

7 Comparison With Others 

We selected GBS [H, Multi-space 0, EG [10], Q-Composite and RPS [1]
for the comparison with our scheme. The compared features are
communication, computation and memory. Table 2 shows this
comparison in terms of those resources. In our scheme, memory,
computation and communication requirements are shown in
Eqn [TO] to Eqn [TJ]

Remark: the constant value of communication in 
GBS depends on whether it's possible to construct a di- 
rect key or not. In case of using an intermediate node, 
the communication cost of the intermediate should be 
considered. The amount of communication traffic in 
our scheme is always constant because of its nature. 

8 Conclusion 

We proposed a novel framework for the secure key 
pre-distribution in the WSN. Our proposed scheme 
uses a hierarchical grid for the sensor nodes deploy- 
ment that bounds the heavily communicated nodes in 
one basic grid that has strong secure keying material. 

We also designed an ID structure which is unique 
for the node and expresses the location as well as the 
keying material to be used. To measure the perfor- 
mance of our framework, we used Blundo's [3] as a 
keying material generator block. Mathematical analysis of the
computation, communication and memory was provided. The different
possible attacks were lightly touched. The performance comparison
shown expressed the value of our framework.

References 

[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and 
E. Cayirci. A survey on sensor networks, 2002. 

[2] R. Blom. An optimal class of symmetric key generation
systems. In Proc. of the EUROCRYPT 84 workshop on Advances in
cryptology: theory and application of cryptographic techniques,
pages 335-338, New York, NY, USA, 1985. Springer-Verlag
New York, Inc.

[3] Carlo Blundo, Alfredo De Santis, Amir Herzberg, 
Shay Kutten, Ugo Vaccaro, and Moti Yung. 
Perfectly-secure key distribution for dynamic con- 
ferences. In CRYPTO, pages 471-486, 1992. 

[4] Haowen Chan, Adrian Perrig, and Dawn Xiaodong Song. Random
key predistribution schemes for sensor networks. In IEEE Symposium
on Security and Privacy, pages 197-, 2003.

[5] David Culler, Deborah Estrin, and Mani B. Sri- 
vastava. Overview of sensor networks. In IEEE 
Computer Society, pages 41-49, 2004. 

[6] Jing Deng, Richard Han, and Shivakant Mishra. 
Defending against path-based dos attacks in wire- 
less sensor networks. In SASN, pages 89-96, 2005. 

[7] Whitfield Diffie and Martin E. Hellman. New directions in
cryptography. IEEE Transactions on Information Theory,
IT-22(6):644-654, 1976.

[8] Wenliang Du, Jing Deng, Yunghsiang S. Han, Shi- 
gang Chen, and Pramod K. Varshney. A key man- 
agement scheme for wireless sensor networks using 
deployment knowledge. In INFOCOM, 2004. 

[9] Wenliang Du, Jing Deng, Yunghsiang S. Han, 
Pramod K. Varshney, Jonathan Katz, and Aram 
Khalili. A pairwise key predistribution scheme for 
wireless sensor networks. ACM Trans. Inf. Syst. 
Secur., 8(2):228-258, 2005. 

[10] Laurent Eschenauer and Virgil D. Gligor. A key- 
management scheme for distributed sensor net- 
works. In ACM CCS, pages 41-47, 2002. 

[11] Nils Gura, Arun Patel, Arvinderpal Wander, Hans Eberle, and
Sheueling Chang Shantz. Comparing elliptic curve cryptography and
rsa on 8-bit cpus. In CHES, pages 119-132, 2004.

[12] Dijiang Huang, Manish Mehta, Deep Medhi, and 
Lein Harn. Location-aware key management 
scheme for wireless sensor networks. In SASN, 
pages 29-42, 2004. 

[13] Joengmin Hwang and Yongdae Kim. Revisiting 
random key pre-distribution schemes for wireless 
sensor networks. In SASN, pages 43-52, 2004. 



[14] Takashi Ito, Hidenori Ohta, Nori Matsuda, and 
Takeshi Yoneda. A key pre-distribution scheme for 
secure sensor networks using probability density 
function of node deployment. In SASN, pages 69- 
75, 2005. 

[15] Holger Karl and Andreas Willig. Protocols and 
Architectures for Wireless Sensor Networks. John 
Wiley & Sons Ltd., ISBN-13 988-0-470-09510-2, 
2005. 

[16] Donald Knuth. The Art of Computer Programming: Semi-numerical
Algorithms, volume Vol.2, third edition. Addison-Wesley,
ISBN: 0-201-89684-2, 1997.

[17] Jinyang Li, John Jannotti, Douglas S. J. De 
Couto, David R. Karger, and Robert Morris. A 
scalable location service for geographic ad hoc 
routing. In MOBICOM, pages 120-130, 2000. 

[18] Donggang Liu and Peng Ning. Establishing pair- 
wise keys in distributed sensor networks. In ACM 
CCS, pages 52-61, 2003. 

[19] Donggang Liu, Peng Ning, and Rongfang Li. Establishing
pairwise keys in distributed sensor networks. ACM Trans. Inf. Syst.
Secur., 8(1):41-77, 2005.

[20] David J. Malan, Matt Welsh, and Michael D. 
Smith. A public-key infrastructure for key distri- 
bution in tinyos based on elliptic curve cryptogra- 
phy. In First IEEE Int. Conf. on Sensor and Ad 
Hoc Comm. and Networks, pages 71-80, 2004. 

[21] Jonathan M. McCune, Elaine Shi, Adrian Perrig, and Michael K.
Reiter. Detection of denial-of-message attacks on sensor network
broadcasts. In IEEE Symposium on Security and Privacy, pages
64-78, 2005.

[22] Abedelaziz Mohaisen, YoungJae Maeng, and DaeHun Nyang. On the
grid based key pre-distribution: Toward a better connectivity in
wireless sensor networks. In SSDU 2007, to appear, pages 00-00,
2007.

[23] James Newsome, Elaine Shi, Dawn Xiaodong 
Song, and Adrian Perrig. The sybil attack in sen- 
sor networks: analysis & defenses. In IPSN, pages 
259-268, 2004. 

[24] Bryan Parno, Adrian Perrig, and Virgil D. Gligor. 
Distributed detection of node replication attacks 
in sensor networks. In IEEE Symposium on Secu- 
rity and Privacy, pages 49-63, 2005. 






[25] Adrian Perrig, Robert Szewczyk, J. D. Tygar, Vic- 
tor Wen, and David E. Culler. Spins: Security 
protocols for sensor networks. Wireless Networks, 
8(5):521-534, 2002. 

[26] Roberto Di Pietro, Luigi V. Mancini, and Alessan- 
dro Mei. Random key-assignment for secure wire- 
less sensor networks. In SASN, pages 62-71, 2003. 

[27] Roberto Di Pietro, Luigi V. Mancini, and Alessan- 
dro Mei. Efficient and resilient key discovery based 
on pseudo-random key pre-deployment. In IPDPS, 
2004. 

[28] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A
method for obtaining digital signatures and public-key
crypto-systems. CACM, 26(1):96-99, 1983.

[29] Stefan Schmidt, Holger Krahn, Stefan Fischer, 
and Dietmar Watjen. A security architecture for 
mobile wireless sensor networks. In ESAS, pages 
166-177, 2004. 

[30] Adi Shamir. How to share a secret. Commun. 
ACM, 22(11):612-613, 1979. 

[31] William Stallings. Cryptography and Network Se- 
curity: Principles and Practice, 3rd edition. Pren- 
tice Hall, ISBN: 0138690170, 2003. 

[32] Arvinderpal Wander, Nils Gura, Hans Eberle, 
Vipul Gupta, and Sheueling Chang Shantz. En- 
ergy analysis of public-key cryptography for wire- 
less sensor networks. In PerCom, pages 324-328, 
2005. 

[33] Ronald J. Watro, Derrick Kong, Sue fen Cuti, 
Charles Gardiner, Charles Lynn, and Peter Kruus. 
Tinypk: securing sensor networks with public key 
technology. In SASN, pages 59-64, 2004. 

[34] Anthony D. Wood and John A. Stankovic. Denial 
of service in sensor networks. IEEE Computer, 
35(10):54-62, 2002. 






